PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"trust list" - Search Certificates in Linux Trust Store
This section provides tutorial examples on searching certificates in Linux Trust Store using the 'trust list' command.
If you want to search for specific certificates in the Linux Trust Store, you can use the "trust list" command as shown below.
1. Search for certificates by their usage (purpose): server-auth, client-auth, email and code-signing.
herong$ trust list --purpose=code-signing
pkcs11:id=%54%62%70%63%f1%75%84%43%58%8e%d1%16%20%b1%c6%ac%1a%bc%f6%89;type=cert
    type: certificate
    label: vTrus Root CA
    trust: anchor
    category: authority
...
2. Search for certificates with a filter on categories: ca-anchors (trusted root certificates), blacklist (distrusted root certificates), trust-policy (all root certificates) and certificates (all certificates).
herong$ trust list --filter=blacklist
pkcs11:id=%88%68%BF%E0%8E%35%C4%3B%38%6B%62%F7%28%3B%84%81%C8%0C%D7%4D;type=cert
    type: certificate
    label: Explicitly Distrust DigiNotar Root CA
    trust: blacklisted
    category: authority
...
3. Search for a certificate by its PKCS#11 URI.
herong$ trust list \
  --filter="pkcs11:id=%03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55"
pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority
4. Search for certificates by their subject CNs, using the "grep" command.
herong$ trust list | grep -B 5 -A 5 "label: DigiCert Trusted"
    trust: anchor
    category: authority
pkcs11:id=%ec%d7%e3%82%d2%71%5d%64%4c%df%2e%67%3f%e7%ba%98%ae%1c%0f%4f;type=cert
    type: certificate
    label: DigiCert Trusted Root G4
    trust: anchor
    category: authority
pkcs11:id=%2e%e3%db%b2%49%d0%9c%54%79%5c%fa%27%2a%fe%cc%4e%d2%e8%4e%54;type=cert
    type: certificate
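The grep search above returns fixed-size context windows, so a match can carry lines from neighbouring records (the output starts with the trust and category lines of the preceding certificate). The following shell function is an added example, not part of the original tutorial: it groups "trust list" output into one line per certificate and matches on the label, optionally requiring a trust value. The names find_trust_entries and sample_trust_list are this example's own, and the sample input is copied from the outputs shown on this page.

```shell
#!/bin/sh
# find_trust_entries PATTERN [TRUST]
#   stdin : text in `trust list` format
#   stdout: label<TAB>trust<TAB>pkcs11-uri for each record whose label
#           contains PATTERN (literal, case-insensitive); TRUST, if given,
#           must equal the record's trust value (anchor, blacklisted).
find_trust_entries() {
    PAT="$1" WANT="${2:-}" awk '
        function emit() {
            if (uri != "" &&
                (pat == "" || index(tolower(label), pat) > 0) &&
                (want == "" || trust == want))
                printf "%s\t%s\t%s\n", label, trust, uri
            uri = ""; label = ""; trust = ""
        }
        BEGIN { pat = tolower(ENVIRON["PAT"]); want = ENVIRON["WANT"] }
        /^pkcs11:/ { emit(); uri = $0; next }   # a URI line starts a record
        {
            line = $0; sub(/^[ \t]+/, "", line) # fields may be indented
            if (line ~ /^label: /)      label = substr(line, 8)
            else if (line ~ /^trust: /) trust = substr(line, 8)
        }
        END { emit() }
    '
}

# Sample input: three records copied from the output shown on this page.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority
pkcs11:id=%ec%d7%e3%82%d2%71%5d%64%4c%df%2e%67%3f%e7%ba%98%ae%1c%0f%4f;type=cert
    type: certificate
    label: DigiCert Trusted Root G4
    trust: anchor
    category: authority
pkcs11:id=%88%68%BF%E0%8E%35%C4%3B%38%6B%62%F7%28%3B%84%81%C8%0C%D7%4D;type=cert
    type: certificate
    label: Explicitly Distrust DigiNotar Root CA
    trust: blacklisted
    category: authority
EOF
}

# Real use: trust list | find_trust_entries "DigiCert Trusted" anchor
sample_trust_list | find_trust_entries "digicert trusted"
```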